<html>
<head><meta charset="utf-8"><title>stats on vulnerabilities · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/stats.20on.20vulnerabilities.html">stats on vulnerabilities</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="171337421"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/stats%20on%20vulnerabilities/near/171337421" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/stats.20on.20vulnerabilities.html#171337421">(Jul 20 2019 at 18:25)</a>:</h4>
<p>Fun fact: I went through non-DoS vulnerabilities in the RustSec advisory DB and counted 16 memory corruption vulns and 5 vulns not related to memory safety. That's very close to the 70% of vulns being memory safety issues as reported by M$. Based on this (admittedly limited) sampling it would look like Rust's safety guarantees do not actually make a difference in practice.<br>
But if you factor in DoS then it absolutely dominates the memory safety issues: <a href="https://github.com/rust-fuzz/trophy-case" target="_blank" title="https://github.com/rust-fuzz/trophy-case">https://github.com/rust-fuzz/trophy-case</a> lists so many DoS bugs that the actual memory safety issues are below 10%</p>



<a name="171337477"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/stats%20on%20vulnerabilities/near/171337477" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/stats.20on.20vulnerabilities.html#171337477">(Jul 20 2019 at 18:26)</a>:</h4>
<p>It's not a 1:1 comparison. A lot of the Rust ones are API unsoundness, for many of them it's never been established that it's reachable in real programs. The MS data is CVEs that are all reachable in Windows/Office/Edge/etc.</p>



<a name="171337495"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/stats%20on%20vulnerabilities/near/171337495" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/stats.20on.20vulnerabilities.html#171337495">(Jul 20 2019 at 18:27)</a>:</h4>
<p>If we issued CVEs for C APIs that were unsound... it's literally all of them, there is no notion of soundness.</p>



<a name="171337567"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/stats%20on%20vulnerabilities/near/171337567" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/stats.20on.20vulnerabilities.html#171337567">(Jul 20 2019 at 18:29)</a>:</h4>
<p>To be clear: it's good that we're holding ourselves to a higher standard! But it does mean the data is not immediately comparable.</p>



<a name="171337895"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/stats%20on%20vulnerabilities/near/171337895" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/stats.20on.20vulnerabilities.html#171337895">(Jul 20 2019 at 18:40)</a>:</h4>
<p>I guess the C version of API unsoundness would be "library function behaves differently compared to what documentation says" and would very well apply to M$ libraries or Windows syscalls</p>



<a name="171338664"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/stats%20on%20vulnerabilities/near/171338664" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/stats.20on.20vulnerabilities.html#171338664">(Jul 20 2019 at 19:02)</a>:</h4>
<p>seems like a hard thing to measure/compare without it being apples to oranges. you need some way to also gauge frequency/volume of vulnerabilities (vs LoC I guess) and to accurately compare that vuln discovery and reporting needs to be equally mature.</p>



<a name="171338672"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/stats%20on%20vulnerabilities/near/171338672" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/stats.20on.20vulnerabilities.html#171338672">(Jul 20 2019 at 19:03)</a>:</h4>
<p>there are a lot of people (who don't actively use Rust) who seem overly eager to latch onto any mention of memory unsafety in Rust and use that to speciously claim that Rust isn't living up to its guarantees <span aria-label="cry" class="emoji emoji-1f622" role="img" title="cry">:cry:</span></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>